MakeWebGames

Just want some advice on securing my game.


Jesse60905


Ok I need some clarification on securing my game. So far I have almost finished adding striptags to all of my user-inputted fields. Here is the info I need to know.

What is the difference between striptags and mysql_real_escape_string?

Is striptags better or worse than mysql_real_escape_string?

How would I go about starting to secure my game from header injections*?

If somebody could give some clarification on these subjects so I can start work on it that would be awesome.

Thanks,

Jesse B.

* - May be something else. Hopefully you will understand what I mean.


Re: Just want some advice on securing my game.

Securing against header injections is pretty simple.

$headerinject = array("Content-Type:",
                      "MIME-Version:",
                      "Content-Transfer-Encoding:",
                      "bcc:",
                      "cc:");

foreach($_POST as $k => $v){
    if(!is_string($v)) continue;            // array fields (name="x[]") would make strpos warn and are skipped here
    foreach($headerinject as $v2){
        if(stripos($v, $v2) !== false){     // header names are case-insensitive
            logBadRequest();                // your own logging function
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}

unset($k, $v, $v2, $headerinject);

A lot of these security functions can be found on Google. ^^^ Was, just edited a little bit.
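The same check as a reusable function, added here as an example and not code from the thread or from anyone in it; `log_bad_request` is a placeholder name for your own logging routine. It adds the test that matters most, a carriage return or line feed in a value that will end up in a mail() header (which is what lets extra headers be appended at all), and matches the listed header names case-insensitively.

```php
<?php
// Added example, not code from the thread: the check above as a reusable function.
// The decisive test is for CR/LF in a value bound for a mail() header; the name list is a backstop.

function contains_header_injection($value)
{
    // Array fields (name="x[]") are not strings; treat them as bad input
    // for anything that feeds a mail header instead of skipping them.
    if (!is_string($value)) {
        return true;
    }
    // A raw carriage return or line feed is the real injection vector.
    if (preg_match('/[\r\n]/', $value)) {
        return true;
    }
    // Header names are case-insensitive, so match with stripos, not strpos.
    $headers = array('Content-Type:', 'MIME-Version:',
                     'Content-Transfer-Encoding:', 'bcc:', 'cc:');
    foreach ($headers as $h) {
        if (stripos($value, $h) !== false) {
            return true;
        }
    }
    return false;
}

// Placeholder for your own logging: writes a line to the web server's error log.
function log_bad_request($field)
{
    error_log('header injection attempt in POST field ' . $field);
}
// Run this before any user input reaches mail(); it ends the request on a hit.
function reject_header_injections(array $post)
{
    foreach ($post as $name => $value) {
        if (contains_header_injection($value)) {
            log_bad_request($name);
            header('HTTP/1.0 403 Forbidden');
            exit;
        }
    }
}

// Constructed sample values: a normal message and one with a smuggled Bcc: line.
$samples = array('message' => 'Hello, I have a question about the game',
                 'email'   => "player@example.com\r\nBcc: someone@example.com");
foreach ($samples as $name => $value) {
    echo $name, ': ', contains_header_injection($value) ? 'rejected' : 'ok', "\n";
}
```

Call reject_header_injections($_POST) from a file that every page includes, so the check runs before any form handler touches the input.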


Re: Just want some advice on securing my game.

Thanks.

> $headerinject = array("Content-Type:",
>                       "MIME-Version:",
>                       "Content-Transfer-Encoding:",
>                       "bcc:",
>                       "cc:");
>
> foreach($_POST as $k => $v){
>     if(!is_string($v)) continue;            // array fields (name="x[]") would make strpos warn and are skipped here
>     foreach($headerinject as $v2){
>         if(stripos($v, $v2) !== false){     // header names are case-insensitive
>             logBadRequest();                // your own logging function
>             header("HTTP/1.0 403 Forbidden");
>             exit;
>         }
>     }
> }
>
> unset($k, $v, $v2, $headerinject);


I take it I put that in header? I'm gonna test it now anyways.



Re: Just want some advice on securing my game.

I think before:

function userdata($ir,$lv,$fm,$cm,$dosessh=1)
{
    global $db,$c,$userid, $set;
    // X-Forwarded-For comes from the client, so it is untrusted input:
    // check that it exists before reading it and escape it before it goes into SQL.
    $IP = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
        ? $_SERVER['HTTP_X_FORWARDED_FOR']
        : $_SERVER['REMOTE_ADDR'];
    $IP = mysql_real_escape_string($IP);
    $db->query("UPDATE users SET laston=unix_timestamp(),lastip='$IP' WHERE userid=$userid");
    if(!$ir['email'])
    {
        global $domain;
        die ("<body>Your account may be broken. Please mail admin@{$domain} stating your username and player ID.");
    }
    if($dosessh && (!empty($_SESSION['attacking']) || $ir['attacking']))
    {
        print "You lost all your EXP for running from the fight.";
        $db->query("UPDATE users SET exp=0,attacking=0 WHERE userid=$userid");
        $_SESSION['attacking']=0;
    }
    // Stat percentages and their complements
    $enperc=(int) ($ir['energy']/$ir['maxenergy']*100);
    $wiperc=(int) ($ir['will']/$ir['maxwill']*100);
    $experc=(int) ($ir['exp']/$ir['exp_needed']*100);
    $brperc=(int) ($ir['brave']/$ir['maxbrave']*100);
    $hpperc=(int) ($ir['hp']/$ir['maxhp']*100);
    $enopp=100-$enperc;
    $wiopp=100-$wiperc;
    $exopp=100-$experc;
    $bropp=100-$brperc;
    $hpopp=100-$hpperc;
    $d="";
    $u=$ir['username'];
    if($ir['donatordays']) { $u = "[b]{$ir['username']}[/b]"; $d="[img=donator.gif]"; }
    // ... the rest of the function is cut off in the original post
}

Re: Just want some advice on securing my game.

> Thanks.
>
> > $headerinject = array("Content-Type:",
> >                       "MIME-Version:",
> >                       "Content-Transfer-Encoding:",
> >                       "bcc:",
> >                       "cc:");
> >
> > foreach($_POST as $k => $v){
> >     if(!is_string($v)) continue;            // array fields (name="x[]") would make strpos warn and are skipped here
> >     foreach($headerinject as $v2){
> >         if(stripos($v, $v2) !== false){     // header names are case-insensitive
> >             logBadRequest();                // your own logging function
> >             header("HTTP/1.0 403 Forbidden");
> >             exit;
> >         }
> >     }
> > }
> >
> > unset($k, $v, $v2, $headerinject);
>
> I take it I put that in header? I'm gonna test it now anyways.

Did it work when you put it in header?


Re: Just want some advice on securing my game.

> > Thanks.
> >
> > > $headerinject = array("Content-Type:",
> > >                       "MIME-Version:",
> > >                       "Content-Transfer-Encoding:",
> > >                       "bcc:",
> > >                       "cc:");
> > >
> > > foreach($_POST as $k => $v){
> > >     if(!is_string($v)) continue;            // array fields (name="x[]") would make strpos warn and are skipped here
> > >     foreach($headerinject as $v2){
> > >         if(stripos($v, $v2) !== false){     // header names are case-insensitive
> > >             logBadRequest();                // your own logging function
> > >             header("HTTP/1.0 403 Forbidden");
> > >             exit;
> > >         }
> > >     }
> > > }
> > >
> > > unset($k, $v, $v2, $headerinject);
> >
> > I take it I put that in header? I'm gonna test it now anyways.
>
> Did it work when you put it in header?

You've been told where to put it...

 

For security functions I'd put in global func's or maybe include a security.php into mysql.php so that the functions are included on all pages.

